MAWC – Radford University 2010

Input size validation is good, but not enough. You also need to validate the "type" (content) of the input: checking the size alone does not stop any of the attacks that follow. Examples (next): SQL injection, HTTP parameter tampering, cross-site scripting.

Note: The rest of this lecture is not from the textbook. Please take notes.
Next: SQL injection attack. Before that: everything we need to know for the moment about SQL.

Consider a university database that maintains information about every student, such as:
–their id, major, the specific concentrations in their major, the core courses of their concentration, etc.
This information can be organized into multiple tables, e.g.:
–studentTable can contain the columns: student name, SSN, major, courses taken.
–majorTable can contain the columns: information about the major, and the different concentrations in the major.
–concentrationTable can contain columns such as concentration name, core courses, electives, credit-hour requirement, etc.
Database Management Systems (such as Oracle) provide a language that allows users to create or update such tables and to query them.

Everything we need to know for the moment about SQL (2)
SQL (Structured Query Language):
–It is the language used to query relational databases such as Oracle.
–It falls under a class of programming languages called Domain Specific Languages (DSLs).
–How is a DSL different from a generic high-level programming language such as Java? As the name suggests, DSLs are programming languages specific to one domain, e.g., databases, or programming routers.
Some of the things you can do with SQL:
–Create tables in a database, e.g., creating a student table and a concentration table.
–Query tables (multiple tables at a time) to extract information, e.g., "What are the core courses a student Xunil must take?" This involves querying two tables: the student table and the concentration table.
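As an added example (not from the lecture or its textbook), here is the two-table "core courses for Xunil" query in runnable form, using Python's standard sqlite3 module on a constructed miniature of the university database; the table names, column names, course names and student rows are assumptions made for the demo. It also previews the SQL injection point the lecture makes later: the same query built by splicing the user-supplied name into the query string returns every student's row when the name is `x' OR '1'='1`, while the parameterized version treats the whole input as one literal and matches nothing.

```python
import sqlite3

# Constructed miniature of the lecture's university database (schema and data are
# assumptions for the demo, not real Radford data).
SCHEMA_AND_DATA = """
CREATE TABLE studentTable (name TEXT, ssn TEXT, major TEXT, concentration TEXT);
CREATE TABLE concentrationTable (concentration TEXT, core_courses TEXT, credit_hours INTEGER);
INSERT INTO studentTable VALUES ('Xunil', '000-00-0001', 'CS', 'Security');
INSERT INTO studentTable VALUES ('Alice', '000-00-0002', 'CS', 'Networks');
INSERT INTO concentrationTable VALUES ('Security', 'SEC 101, SEC 102', 120);
INSERT INTO concentrationTable VALUES ('Networks', 'NET 101, NET 102', 120);
"""

JOIN_QUERY = (
    "SELECT s.name, c.core_courses FROM studentTable s "
    "JOIN concentrationTable c ON s.concentration = c.concentration "
    "WHERE s.name = "
)


def build_db():
    """In-memory database holding the two tables the query needs."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA_AND_DATA)
    return con


def core_courses_spliced(con, student_name):
    """Vulnerable: the user-supplied name is spliced into the SQL string, so quote
    characters in the input change the structure of the query."""
    sql = JOIN_QUERY + "'" + student_name + "'"
    return con.execute(sql).fetchall()


def core_courses_param(con, student_name):
    """Safe: the name is passed as a bound parameter; the driver sends it as data,
    never as part of the query text."""
    sql = JOIN_QUERY + "?"
    return con.execute(sql, (student_name,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(core_courses_param(db, "Xunil"))
    injected = "x' OR '1'='1"          # classic always-true tail
    print(core_courses_spliced(db, injected))   # every student's row
    print(core_courses_param(db, injected))     # no such student: []
```

The spliced query becomes `WHERE s.name = 'x' OR '1'='1'`, which is true for every row of the join; the parameterized query is `WHERE s.name = ?` with the entire string as the one value, so no quoting trick can change its shape.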
HTTP basics. To understand the parameter tampering attack, we need to know a little about the HTTP protocol. HTTP is a request/response protocol; every request names a method. The two that matter for forms:
–GET fetches a page; any form data travels in the URL's query string (after the "?").
–POST submits data to the server; the form data travels in the body of the request.
(PUT also exists, for uploading a resource to the server, but browser forms use GET or POST.)

HTML input fields
Some HTML causes the browser to generate input forms (pull-downs, checkboxes, text boxes, ...). Example: a sample form. When the user presses "submit", it is just like requesting another web page, except that the input fields are sent along with the request: in the query string for GET, in the request body for POST.
Forging input fields
A user can "show source" to see the HTML the browser gets. We can save-as, edit the file (change field values, remove the JavaScript checks, add fields), and then submit with bad data! Solutions? Validate the data server-side, too: anything checked only in the browser can be bypassed.

Hidden parameter manipulation attack
Objective: if the page uses a hidden input in its HTML form, alter it for fun and profit. HTML forms support "hidden inputs": fields that are not displayed by the browser but are still embedded inside the web page (and sent back with the form). A web programmer might use these to solve the "HTTP state problem": how to remember, on a later page, what was entered on an earlier page. Unfortunately, "hidden" fields in HTML are not really hidden: they are in the page source, and the user can edit them before submitting, just like any other field.
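As an added example (not from the lecture), the following Python shows the two slides above in code: a checkout handler that trusts a hidden `price` field the server put on the previous page, the server-side validation that replaces it, and, for the "HTTP state problem", an HMAC signature that makes hidden fields tamper-evident. The catalog, prices, field names and the secret key are all assumptions constructed for the demo.

```python
import hashlib
import hmac
import urllib.parse

# Constructed data for the example. The key lives only on the server; the client never sees it.
SECRET_KEY = b"replace-with-a-random-server-side-key"
CATALOG = {"textbook": 8999, "lab-manual": 1500}   # price in cents, server-side truth


def vulnerable_total(form):
    """Trusts the hidden 'price' field that the server embedded on the previous page.
    A user who saved and edited the HTML (or used an intercepting proxy) controls it."""
    return int(form["price"]) * int(form["qty"])


def safe_total(form):
    """Never trust a value that round-tripped through the client: re-derive the price
    from the server-side catalog and type/range-check everything else."""
    item = form.get("item", "")
    if item not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("qty is not an integer")
    if not 1 <= qty <= 100:
        raise ValueError("qty out of range")
    return CATALOG[item] * qty


# If state really must ride in hidden fields, sign it so tampering is detected.
def sign_fields(fields):
    """HMAC-SHA256 over a canonical (sorted, URL-encoded) serialization of the fields."""
    canonical = urllib.parse.urlencode(sorted(fields.items()))
    return hmac.new(SECRET_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def verify_fields(form):
    """Returns the fields if the 'sig' field matches them, otherwise None."""
    tag = form.get("sig")
    if tag is None:
        return None
    fields = {k: v for k, v in form.items() if k != "sig"}
    expected = sign_fields(fields)
    # compare_digest avoids leaking how many leading characters matched.
    return fields if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    honest = {"item": "textbook", "price": "8999", "qty": "1"}
    tampered = dict(honest, price="1")          # user edited the hidden field
    print(vulnerable_total(tampered), safe_total(tampered))   # 1 vs 8999
    signed = dict(honest, sig=sign_fields(honest))
    print(verify_fields(signed) == honest, verify_fields(dict(signed, price="1")))
```

Signing stops silent edits but does not stop replay of an old signed form; if that matters, the signed state also needs a session or user identifier and an expiry, or the state stays on the server (a session) and only an opaque id goes to the client.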
HTML injection attack
In HTML, angle brackets don't represent text; they represent the structure of the text (e.g. where paragraphs start/end, what text is a header, etc.). If a browser, when receiving a string of HTML, sees a "<", it knows to treat what follows as a tag, not as text.

HTML injection attack 2
A server might often create a page containing "Hello, $name, how are you?" where $name was taken from previous user input. What characters might be inside $name that would confuse the browser? Try this form.

HTML sanitization
(Recall: this is the same problem where user input was spliced into strings that were then used as SQL queries.) If you want a browser to display a less-than symbol as text, you use the entity "&lt;" instead of "<".

HTML sanitization 2
Solution: replace any characters that would represent HTML structure with a string that represents HTML data:
$nameAsHTMLData = sanitizeHTML($name);
echo "Hello, $nameAsHTMLData, how are you?";
The function sanitizeHTML just replaces each "<" with "&lt;", each ">" with "&gt;", each "&" with "&amp;", and so on.
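As an added example (not the lecture's code), here is a sanitizeHTML equivalent in Python together with the vulnerable and fixed versions of the greeting page. The replacement table and the attacker string are constructed for the demo; the one design point worth noticing is the order of replacements.

```python
# Characters that carry structure in HTML text and in quoted attribute values, and the
# entity that makes the browser display each one as data. "&" must be handled FIRST:
# otherwise the "&" that the other replacements introduce would itself be re-encoded
# ("<" -> "&lt;" -> "&amp;lt;").
HTML_ESCAPES = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#x27;"),
]


def sanitize_html(value):
    """Turn a string of untrusted text into HTML *data*: no character left in it can
    open or close a tag or break out of a quoted attribute."""
    for raw, entity in HTML_ESCAPES:
        value = value.replace(raw, entity)
    return value


def vulnerable_greeting_page(name):
    """The slide's original: user input spliced straight into the page."""
    return "<p>Hello, " + name + ", how are you?</p>"


def greeting_page(name):
    """The slide's fix: $nameAsHTMLData = sanitizeHTML($name)."""
    return "<p>Hello, " + sanitize_html(name) + ", how are you?</p>"


if __name__ == "__main__":
    attacker_name = "<script>alert(document.cookie)</script>"   # constructed payload
    print(vulnerable_greeting_page(attacker_name))   # browser runs the script
    print(greeting_page(attacker_name))              # browser shows the text
```

This escaping is correct for text nodes and for values inside quoted attributes; an input that lands in a URL attribute (`href`) or inside a `<script>` block needs encoding specific to that context, because the browser parses those differently.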
Tools
There are some good tools that let you carry out these attacks without going through the preceding manual steps:
–WebScarab. This is a web proxy that you can run on any machine. It intercepts all the requests from your browser as well as the responses your browser gets, and lets you edit the intercepted request (form fields, including hidden ones, cookies, headers) before it is forwarded.
–In an upcoming HW, you will be using WebScarab.

Other types of application-level attacks: race conditions
Race condition attacks
An attack that results from the interaction between multiple processes: the program checks something about a resource in one step and uses the resource in a later step, and the attacker changes the resource in between.
Client (a privileged program acting on behalf of an authorized user): verify that the user could write file X.
1. Attacker deletes the file named X.
2. Attacker creates a symbolic link from X to a privileged file (e.g. /etc/passwd). This requires only write permission on the directory, not on the target file.
Client: writes file X (as root, on behalf of the user); the write follows the link into the privileged file.
General pattern: the client checks file attributes; the attacker changes the file (its permissions, or what the name X refers to) in the window between the client's check and its use.

Why is synchronization necessary? Reason 2: Security
Example attack: race condition attacks
–Some programs, such as gcc/g++, create temporary files.
–They assume that the temporary file has not changed between the time of creation and the time they write to it.
–Hence there is a small time window that an attacker can use (see the timeline below).
–Called a race condition because two processes (gcc is one, the attacker's process is the other) are racing to access the same resource.
Timeline (the figure on the slide), program steps on the left, attacker steps in the window on the right:
Check if user can write file X ........ 1. Attacker deletes X. 2. Attacker creates a symbolic link X -> privileged file.
Write file X (now the privileged file).
Create temporary file X ............... 1. Attacker deletes X. 2. Attacker creates a symbolic link X -> privileged file.
Delete or write file X (now the privileged file).
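As an added example (not from the lecture), the Python below plays out both timelines above in a scratch directory, with a stand-in file in place of /etc/passwd: the vulnerable writer creates temporary file X and later reopens it by name, so after the attacker swaps X for a symlink the write lands in the privileged file; the hardened writer creates X with O_CREAT|O_EXCL|O_NOFOLLOW and writes through the file descriptor, so the name X no longer matters. The "window" is simulated by calling the attacker's step at the point where the real program would be doing other work; file names and contents are constructed for the demo, and it assumes a POSIX system where symbolic links can be created.

```python
import os
import tempfile

ORIGINAL = "root:x:0:0:root:/root:/bin/sh\n"   # constructed stand-in for /etc/passwd
PAYLOAD = "attacker:x:0:0::/:/bin/sh\n"        # what the attacker wants written there


def vulnerable_temp_write(path, data, attacker):
    """The gcc-style pattern on the slide: create temp file X by name, do other work
    (the window, simulated by attacker()), then reopen X *by name* and write."""
    open(path, "w").close()            # create temporary file X
    attacker()                          # attacker deletes X and links it to the privileged file
    with open(path, "w") as fh:         # open() follows the symlink: this writes the privileged file
        fh.write(data)
    return "written"


def safe_temp_write(path, data, attacker):
    """Create and use through one file descriptor. O_EXCL refuses if X already exists
    (even as a symlink the attacker planted first); O_NOFOLLOW refuses to follow a link;
    and the later write goes to the fd, which stays bound to the inode we created,
    whatever the name X refers to by then."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    except FileExistsError:
        return "refused"
    try:
        attacker()                      # same window, but the attacker's new X is not our fd
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    return "written"


def run_demo(writer, attacker_first=False):
    """Run one scenario in a throwaway directory.
    Returns (writer's result, True if the stand-in privileged file was overwritten).
    attacker_first=True models the attacker planting the link before X is created."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "passwd")
        with open(victim, "w") as fh:
            fh.write(ORIGINAL)
        x = os.path.join(d, "X")

        def attacker():
            if os.path.lexists(x):
                os.unlink(x)            # needs only write permission on the directory
            os.symlink(victim, x)       # X now names the privileged file

        if attacker_first:
            attacker()
            result = writer(x, PAYLOAD, lambda: None)
        else:
            result = writer(x, PAYLOAD, attacker)
        with open(victim) as fh:
            return result, fh.read() != ORIGINAL


if __name__ == "__main__":
    print("vulnerable:", run_demo(vulnerable_temp_write))            # ('written', True)
    print("safe:      ", run_demo(safe_temp_write))                  # ('written', False)
    print("vulnerable, link planted first:", run_demo(vulnerable_temp_write, True))
    print("safe, link planted first:      ", run_demo(safe_temp_write, True))
```

The fix is the same one the standard library's tempfile.mkstemp uses: there is no separate check, the one open() call both creates and opens atomically, and everything afterwards operates on the descriptor (fstat on the fd, not stat on the name, if attributes need checking). The permission-change variant on the previous slide is defeated the same way: check the attributes of the file you actually opened, not of whatever the name pointed at a moment earlier.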
Next: Cryptography.